On (14/06/16 08:56), Jakub Hrozek wrote:
>On Mon, Jun 13, 2016 at 06:06:00PM -0400, Rob Crittenden wrote:
>> Nathan Peters wrote:
>> > I have confirmed that on both CentOS 6.8 and CentOS 6.7 that if the group is a POSIX group, it can be used in sudo rules. If the group is a 'normal' group it will fail when used in sudo rules.
>> >
>> > This is really silly because in a previous version of CentOS (6.3) sudo rules would fail if the group was POSIX, and work if the group was 'normal'.
>> >
>> > I'm not sure when this changed because we still have CentOS 6.7 machines that are working fine with the non-POSIX groups. I did notice that in sssd 1.13.3-22.el6 sudo fails with non-POSIX groups, and with 1.12.4-47.el6_7.7 sudo works with non-POSIX groups.
>> >
>> > So now FreeIPA exists in a really funky state where if you are below CentOS 6.4 you MUST use non-POSIX groups, and if you are on CentOS 6.7 and above, you must use POSIX groups.
>> >
>> > So basically, you need to roll forward your entire infrastructure to CentOS 6.7 or above, or else your old machines will suddenly start failing sudo logins when you update the groups, or your new machines will simply fail with groups that worked on your old ones.
>> >
>> > Can you please confirm what the intended behavior is, because I would rather not go through the trouble of re-creating all our sudo / HBAC rules and user groups...
>>
>> Jakub already stated that this would be a bug if it only worked with POSIX groups, so you've confirmed that.
>>
>> If you have a Red Hat subscription I'd open a support case and ask to be added to bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1336548
>
>Because that bug is private (sorry, there's some RH customer data there) and because you also confirmed it's an issue, I cloned the bugzilla to our upstream Trac:
> https://fedorahosted.org/sssd/ticket/3046
>
>I'm sceptical we will have a fix this week, we're trying to meet a deadline at the moment, but we will try to come up with a fix either late next week or the one after.
>
>I'm sorry about the inconvenience. I wonder if, as a temporary workaround, you could point sssd to the compat tree using ldap_sudo_search_base?
>
Yes, it's worth a try. We switched from compat search base to native search base for sudo in 1.13.x.

But many things were changed in sudo; it needn't help.

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
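As an added illustration (not from the thread, nor from the sssd project's own documentation), this is what the workaround Jakub suggests looks like in sssd.conf; the domain name, server name and base DN are assumed placeholders, and the compat sudo container is assumed to sit at ou=sudoers under the IPA suffix.

```ini
# /etc/sssd/sssd.conf (excerpt) - example.com and its base DN are assumed
# placeholders; substitute your own IPA domain and suffix.
[sssd]
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = example.com
ipa_server = ipa.example.com
sudo_provider = ipa

# Temporary workaround discussed in the thread: instead of the native
# sudo tree that sssd 1.13.x queries by default, read rules from the
# compat tree published by the IPA server's compat plugin.
# Remove this line again once the fixed sssd package is installed,
# so the host returns to the native (default) search base.
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
```

After changing the file, clear the cached sudo rules with `sss_cache -E`, restart sssd, and check the result with `sudo -l` as a member of the affected non-POSIX group on a test host before touching production machines.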
